Break the Scarfo Silence

The government is determined to keep a lid on its new keyboard-tapping tech, but the courts, public and press need to know more

September 4, 2001, 12:00 AM EDT

By Mark Rasch

In January 1999, agents of the FBI raided the offices of Nicodemo S.
Scarfo, a reputed Philadelphia underworld figure, searching for evidence
of illegal gambling operations. Armed with a search warrant, the agents
searched for and seized files contained on his computer, including a
single file that was encrypted using the commercial software PGP.

According to documents later filed with the court, the government believed
that the encrypted file was relevant to the gambling investigation, and
that it was covered by the court order. Unfortunately, as the government
told the court, their "normal investigative procedures to decrypt the
codes" were unsuccessful. The government was then in a quandary.

In an effort to decipher the contents of the previously seized encrypted
file, the government, on May 8, 1999, applied to a Untied States
Magistrate Judge C. Donald Haneke for a court order permitting them to
install what they described as a "keystroke logger" on Scarfo's computer.
The government, under the laws that permit search and seizure, and under
the court's inherent authority to issue orders to effectuate its own
powers, requested authority from the court to install "software, firmware
and/or hardware" to "monitor the inputted data on Nicodemo S. Scarfo's
computer" to attempt to capture the PGP pass phrase.

The government went further, asking the court to excuse it from the normal
requirements that it leave a copy of the search warrant after conducting
the search, and permitting what is sometimes called a "no-knock" warrant.
Based upon the government's affidavits and submissions, the magistrate
signed an order, based on a finding of probable cause to believe there was
evidence of a crime in the encrypted file, permitting the government to
enter Scarfo's office, install the key logger and capture keystrokes.

The court described the program as a "specialized computer program to
search for and seize computer passwords and keys." The key logger was in
place for two months, after which the court permitted the government to
retrieve the output. Contained in the output file was only 45 pages of
keystrokes, including literally hundreds of keystrokes such as or similar
"nonsense" characters.

On the last entry of the last page of the key log file was an entry that
included Scarfo's PGP pass phrase, which by happenstance, was his father's
federal Bureau of Prisons ID number. The government then used this
information to decrypt the encrypted file.

Earlier this year, in a courthouse in Newark, New Jersey, Scarfo's lawyers
moved to suppress the results of the search made by the key logger as
being both an unreasonable search and seizure, and an illegal wiretap.
They also requested that the government reveal precisely what the key
logger was, how it worked, what it searched for, and how it seized
evidence --- matters never disclosed to the magistrate who issued the
order that it be installed.

Because the federal rules governing criminal discovery provide very
limited disclosure requirements, the government refused to disclose any
details about the key logger. The government also stated that "the FBI's
key logger system is a highly sensitive law enforcement search and seizure
technique" and that disclosure of the technique would compromise both law
enforcement investigations and national security.

This was accompanied by a lengthy affidavit from the head of the FBI
laboratory, indicating that only 30 people in the world were privy to the
inner working of the key logger system, and that disclosure would
invariably injure ongoing investigations. Moreover, the government
contended in a pleading filed with the New Jersey judge, the laws
regarding electronic wiretaps were not implicated in this case because the
key logger was configured not to capture communications emanating from
Scarfo's computer via modem to the outside world.

The Federal District Judge disagreed, and ordered the government to
demonstrate precisely how national security would be implicated if the
materials were disclosed. The government responded by asserting that the
key logger system itself was "classified" and therefore invoked provisions
of federal law that limit or preclude the disclosure of classified
information. At present, no disclosure has been made to the defense or to
the court about how the key logger worked.

LEGAL REGIME. Did the government overreach in this case? Was the installation and
monitoring of the key logger program a violation of the federal wiretap
law?

Clearly the government had a legitimate interest in conducting a criminal
investigation of Nicky Scarfo. The magistrate found probable cause to
search the computer and to seize the pass phrase. Courts routinely permit
the installation of hidden video cameras or surveillance. Indeed, only
days after the government filed its classified motion, they revealed in
another case that they had installed a hidden camera at a TRW's offices to
monitor Brian P. Regan, suspected of spying for Libya, and to watch him
sending emails containing classified information.

But there are limits to government surveillance. There are essentially
three limitations on the scope of government searches and seizures. They
are the Fourth Amendment itself, federal rules on the issuance of search
warrants, and federal laws regarding "electronic surveillance."

The Fourth Amendment by its terms provides that: "[t]he right of the
people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated, and no Warrants
shall issue, but upon probable cause, supported by Oath or affirmation,
and particularly describing the place to be searched, and the persons or
things to be seized."

Thus, the Constitution requires that the conduct be considered a "search"
or seizure, that it be reasonable, and that if searched pursuant to a
warrant, there be a finding by a neutral and detached magistrate that
there is probable cause.

Finally, the Constitution mandates that there be specificity --- that the
warrant provide sufficient detail about what is to be searched for and
seized --- and not merely act as a "general warrant."

Complaints that the government violated Scarfo's privacy by installing the
key logger are likely to be unavailing. All search warrants violate
privacy --- that is the essential nature of a court ordered search. The
court made a finding, which the government agents are generally entitled
to rely upon unless secured in bad faith, that the PGP file was likely
evidence of a crime and therefore could be seized.

The magistrate further found that the key logger was a reasonable method
for obtaining the pass phrase, and that a covert "search" for the pass
phrase was appropriate. The government therefore contends that, under the
Fourth Amendment itself, the "search" was reasonable, supported by a
warrant and affidavits, and based upon probable cause.

What distinguishes this case from most Fourth Amendment cases is the fact
that the items to be searched for and seized did not exist at the time the
court order was in effect. The government did not describe to the
magistrate how the key logger would accomplish the minimization
requirements inherent in the Fourth Amendment.

How, for example, could the key logger distinguish between a PGP pass
phrase (covered by the seizure order) and a letter to Scarfo's attorney
(protected by attorney client privilege)? Was the "minimization" to be
accomplished after the fact --- that is, all keystrokes were to be
captured, but government agents would only read the ones that were
relevant to the court order? Indeed, the government's affidavit in support
of the key logger order is remarkable in its lack of detail about what is
presumably a new and legally untested technology.

In a recent case involving the government's use of infrared monitors to
peer virtually inside a home without a warrant to determine whether a
suspect was using heat lamps to grow marijuana, the United States Supreme
Court ruled that the invasive use of new technology violated the Fourth
Amendment. In doing so, the Court relied heavily on specific findings
about the nature of the infrared device, precisely what it did, how it
worked, and what it was able to capture, in determining the extent to
which it invaded privacy.

No such information was provided by the government, either to the
Magistrate or the District Court to effectively evaluate the use of this
new keystroke logging technology. Indeed, the Magistrate was never told
that the technology he was authorizing was classified for national
security purposes, and that its disclosure would result in irreparable
harm to national security. It was effectively described as a run of the
mill search warrant.

SEARCH WARRANTS AND WIRETAP. The Federal Rules of Criminal Procedure generally requires at the time of
a search that the person searched be provided with a copy of the warrant
and an inventory of what was seized. In the Scarfo case, it is unclear
when the search and seizure occurred. Was it when the key logger was
installed? Did each keystroke log constitute a separate search? Was the
search accomplished when the government retrieved the log files, or only
when government agents examined the results of the logs?

In the Scarfo case, the government specifically requested that the
magistrate excuse the requirements of notice and disclosure, and the court
did so. Thus, the failure to leave an inventory or provide notice was
lawfully excused, but the metaphysical question of when the search
occurred or whether it was "reasonable" remains unanswered.

The most difficult aspect of the case is the application of the federal
wiretap law and the Electronic Communications Privacy Act to the
government's actions. Federal law distinguishes between a "search" for
evidence of a crime and an "interception" of either aural or electronic
communications.

For example, if the government has probable cause to believe that there is
evidence of a crime contained on your computer, they may obtain a simple
search warrant for that computer, with no need for a wiretap order, even
if there are emails or other "communications" contained on the hard drive.

If, on the other hand the government wants to read your emails in
transmission, (or listen to your telephone calls, or install an audio
"bug" in your house) it must obtain a special order, called a Title III
order which severely limits what the government can do. The order must be
approved by high-level Justice Department officials, can only be effective
for 30 days at a time, and significant efforts must be made to ensure that
only matters covered by the court order are examined.

Further complicating the issue is the fact that the law may distinguish
between the interception of email "in transmission" and email that is
stored -- even temporarily. As a general rule, for the government to
obtain communications "in transmission" requires a Title III wiretap
order, to obtain them in "temporary storage" requires a search warrant,
and to obtain them in "permanent storage" requires a mere subpoena.

While the Ninth Circuit federal court of appeals in California ruled that
acquisition of temporarily stored email requires a Title III wiretap order
(although the decision was "withdrawn" last week and no new order yet
issued), federal appellate courts in Texas and district courts in
Massachusetts and elsewhere have ruled that the interception must be while
the email is "in transmission" to trigger the more stringent Title III
requirements.

The law makes no provision however for the interception of communications
"for transmission" but not yet "in transmission." Thus, as you type an
email on the screen, but have not yet pressed the "send" button, or as you
type an Instant Message on the computer but have not yet "transmitted" it,
is capture of these communications an "interception in transmission?" Is
the government "intercepting" Brian Regan's email when it virtually
"shoulder surfs" his computer with a camera under the authority only of a
search warrant and not a Title III order?

What distinguishes the Scarfo case is the fact that the key logger, while
intending to capture only a PGP key typed (whether or not the modem was
engaged) may also have captured keystrokes that represented communications
in transmission. The government's position on the legality of this
monitoring is unclear. The government may be contending that the
interception of emails, web traffic or other electronic communications is
permissible under the lower search warrant standard using the key logger,
so long as the key logger captures the communications before they leave
the computer en route to the Internet.

Alternatively, the government may be arguing that the specific file at
issue in this case, the PGP pass phrase, was not in transmission, and
therefore could be lawfully seized even if other matters were captured
"for transmission."

The United States Supreme Court addressed a similar issue in 1942 when it
ruled that the installation of an audio "bug" adjacent to a lawyer's
office that would pick up the attorney's end of his conversations on the
telephone did not come within the ambit of the federal interception law.
The Supreme Court noted that "What is protected is the message itself
throughout the course of its transmission by the instrumentality or agency
of transmission." The court concluded that the listening in the next room
to the words of the target as he talked into the telephone receiver was
not an interception of a wire communication any more "than would have been
the overhearing of the conversation by one sitting in the same room."

In this case, the court tied the target's expectation of privacy to the
physical trespass necessary to invade such privacy. Because no physical
trespass was required, the majority of the court in 1942 concluded, no
invasion of privacy occurred. This literalistic approach was, however,
rejected by the court in an electronic surveillance case in 1967 involving
a tap placed on the outside of a telephone booth, and by the current
Supreme Court in considering the use of the infrared monitors which
required no physical trespass.

UNLEASHING THE TROJANS. If the government seriously takes the position that the interception
triggered by the wiretap law and ECPA occurs only at the modem or other
device, and not between the keyboard and CPU, this represents a dangerous
expansion of the law that could vitiate the need for the government to
ever obtain a Title III order.

Programs such as the BO2k and Sub7 Trojans, or WinWhatWhere, or Monitorer
can be surreptitiously installed on a target computer and ordered to
capture keystrokes, in real time, before they are transmitted to the web.
They can further be used to transmit the results of these "searches" to
law enforcement or intelligence agents in real time over the Internet or
by direct dial-back.

If the government seriously takes the position that Title III is
implicated only past the network interface, then privacy rights are
effectively nullified.

For now, the government is resisting disclosure of the mechanism by which
the key logger captures information as both irrelevant and protected for
national security purposes. However, knowing at a minimum what the logger
captures, how it captures it, when it captures it, and how it restricts
what it captures, is essential for the court, the defense, and for society
generally to evaluate what privacy regime applies to the new technology.

As the Supreme Court noted in the infrared search case in June of this
year, "It would be foolish to contend that the degree of privacy secured
to citizens by the Fourth Amendment has been entirely unaffected by the
advance of technology."

Knowing what the technology is and how it works is the first step to
evaluating its affect on privacy. While the government should be permitted
to use legitimate surveillance techniques, their use and growth must be
effectively scrutinized by the courts, the press, and the public at large
with as full disclosure as possible.

Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive
Systems Inc. in Reston, Virginia, a computer security and network design
consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the
head of the U.S. Department of Justice Computer Crime Unit and prosecuted
a series of high profile computer crime cases from 1984 to 1991.

To continue reading this article you must be a Bloomberg Professional Service Subscriber.